I'm a small MSP with a lot of smaller clients that do not have static IP addresses. I use UniFi for wireless but have been using pfSense for firewalls and am just now checking out OPNsense. The issue I run into with pfSense is the lack of central management like UniFi has. My customers often have static IP addresses and I am often in different locations and on different IPs as well. Is there, or are there any plans for, a centralized management system for OPNsense? Either cloud hosted or self hosted would be fine.
Based on what I've seen there is no such feature planned. There is an API which can be used for a limited set of features.
Why don't you have VPN tunnels (either roadwarrior or site2site from your office) to your clients?
Most of the time I even open the WebGui on the WAN side for 2-3 static ip-addresses in case there is something wrong with the VPN access.
There's a central management within Business Edition:
https://shop.opnsense.com/product/opnsense-business-edition/
Or from my employer:
https://www.max-it.de/loesungen/opnsense-firewall/plugins/
Both only offer an overview which firewall is connected, a button to jump on UI and central upgrade management.
Since franco is now employed by Deciso I believe the business edition may get more features soon.
The Deciso offer is a steal for any commercial use. I will definitely buy this once we start migrating from Sidewinder to OPNsense for real. Thanks for the pointer.
Quote from: mimugmail on January 19, 2021, 08:56:21 AM
There's a central management within Business Edition:
https://shop.opnsense.com/product/opnsense-business-edition/
Or from my employer:
https://www.max-it.de/loesungen/opnsense-firewall/plugins/
Both only offer an overview which firewall is connected, a button to jump on UI and central upgrade management.
Since franco is now employed by Deciso I believe the business edition may get more features soon.
Thank you @mimugmail.
Interesting. Are those tools self-hosted or cloud-based? Getting the status of all firewalls will be an API call, I think. But how is the connection to the WebGui made?
P.S.: just ordered the Deciso OPNsense Business Edition.
It's a sort of decentralised approach... Well, you need an OPNsense to run the management plugin but that's it.
Cheers,
Franco
Quote from: franco on January 19, 2021, 09:59:53 AM
It's a sort of decentralised approach... Well, you need an OPNsense to run the management plugin but that's it.
Cheers,
Franco
Do I need one license per OPNsense or is one license enough for all of my OPNsense boxes?
We are managing more than 50+ OPNsense here, all around the world ;)
So we have developed:
- a central management solution (cloud)
- a plugin (with some API extensions)
- a Zabbix template
So with this, OPNsense is provisioned from our CMS:
- custom settings (hostname, dns, plugins...)
- authentication
- firewall rules
- autossh service to an "hub" for dynamic IP/restricted WAN, and tunneling for GUI access
- full supervision by Zabbix (including running services)
- configuration/status (DHCP leases) access directly from our CMS
- remote upgrade, with scheduling
- alerts by email / slack : gateway status, services...
- daily XML backups
This solution is currently oriented for our usage, but we can easily extend it.
You can contact us if you are interested!
Quote from: Gauss23 on January 19, 2021, 10:05:51 AM
Do I need one license per OPNsense or is one license enough for all of my OPNsense boxes?
Business edition for all managed devices.
Cheers,
Franco
Quote from: franco on January 19, 2021, 12:34:59 PM
Quote from: Gauss23 on January 19, 2021, 10:05:51 AM
Do I need one license per OPNsense or is one license enough for all of my OPNsense boxes?
Business edition for all managed devices.
Cheers,
Franco
Just to clarify because I am not clear. If I have 5 OPNsense boxes I want to centrally manage, do I need 5 Business licenses or 1 Business license?
5
Cheers,
Franco
Quote from: SimpleRezo on January 19, 2021, 11:18:55 AM
We are managing more than 50+ OPNsense here, all around the world ;)
So we have developed:
- a central management solution (cloud)
- a plugin (with some API extensions)
- a Zabbix template
So with this, OPNsense is provisioned from our CMS:
- custom settings (hostname, dns, plugins...)
- authentication
- firewall rules
- autossh service to an "hub" for dynamic IP/restricted WAN, and tunneling for GUI access
- full supervision by Zabbix (including running services)
- configuration/status (DHCP leases) access directly from our CMS
- remote upgrade, with scheduling
- alerts by email / slack : gateway status, services...
- daily XML backups
This solution is currently oriented for our usage, but we can easily extend it.
You can contact us if you are interested!
I would be interested in learning more about this. Sent you a PM
How will the communication be between the centralized administration OPNsense and the other OPNsenses when I place a centralized device on the internet?
Is there, e.g., a cyclic polling of configuration possible, or do I need direct reachability from the central device to the satellites, or can I use a VPN which is started from the satellite to the central instance?
Quote from: SimpleRezo on January 19, 2021, 11:18:55 AM
We are managing more than 50+ OPNsense here, all around the world ;)
So we have developed:
- a central management solution (cloud)
- a plugin (with some API extensions)
- a Zabbix template
So with this, OPNsense is provisioned from our CMS:
- custom settings (hostname, dns, plugins...)
- authentication
- firewall rules
- autossh service to an "hub" for dynamic IP/restricted WAN, and tunneling for GUI access
- full supervision by Zabbix (including running services)
- configuration/status (DHCP leases) access directly from our CMS
- remote upgrade, with scheduling
- alerts by email / slack : gateway status, services...
- daily XML backups
This solution is currently oriented for our usage, but we can easily extend it.
You can contact us if you are interested!
I have sent you a PM
Quote from: KlausP on January 26, 2021, 09:28:15 AM
How will the communication be between the centralized administration OPNsense and the other OPNsenses when I place a centralized device on the internet?
Is there, e.g., a cyclic polling of configuration possible, or do I need direct reachability from the central device to the satellites, or can I use a VPN which is started from the satellite to the central instance?
I need that information too.
Can central administration be done without a public IP at the clients?
Quote from: olest on April 23, 2021, 07:11:23 AM
I have sent you a PM
I will answer your PM, but for everyone else interested, we have created a page describing our solution:
https://srbox.simplerezo.com/
The solution is internally used for production, and we are just starting Early Access for third parties.
Quote from: olest on April 23, 2021, 07:12:39 AM
Quote from: KlausP on January 26, 2021, 09:28:15 AM
How will the communication be between the centralized administration OPNsense and the other OPNsenses when I place a centralized device on the internet?
Is there, e.g., a cyclic polling of configuration possible, or do I need direct reachability from the central device to the satellites, or can I use a VPN which is started from the satellite to the central instance?
I need that information too.
Can central administration be done without a public IP at the clients?
Our solution works without a Public IP and any exposed ports :)
Hello, I would also like to know more about this solution.